When viewing an attachment on a ticket if the user clicks "Download" and doesn't have the necessary privileges they are redirected to the login page. If the user doesn't have permission to download attachments maybe the link just shouldn't show up?
<hr><i>anonymous claiming to be anonymous added on 2010-09-04 07:37:43:</i><br>
What is the goal of forbidding attachment downloading while allowing to view it? User can just copy-paste text attachment or run a simple script to reconstruct binary attachment from shown hex-dump, so why do such restriction exist?
<hr /><i>anonymous added on 2010-09-27 08:51:10:</i><br />
Attachments and checkouts both result in files transferred from the repository to the user, but it is not clear that the same permission flag (checkout) should be used for both.
The wiki/ticket system attachments are informational in nature and could be of interest to users who are not developers, to whom checkout is usually restricted.
I suggest that ability to read a wiki/ticket should be sufficient privilege to download any attachment to it.